@ebarretto from ~ubuntu-security previously reviewed tpm2-tss internally
- so am pasting that review here for completeness:
I've reviewed tpm2-tss 2.1.0-4 as checked into disco.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.
tpm2-tss is TCG's (Trusted Computing Group) implementation of TPM2 Software
Stack (TSS2).
No CVE history
Build-Depends:
autoconf
autoconf-archive
debhelper
docbook-xsl
libcmocka-dev
libgcrypt20-dev
libtool
pkg-config
xsltproc
postinst file on libtss2-udev_2.1.0-4_iall/DEBIAN/postinst
No post/prm rm for libtss2-udev
No postinst and post/pre rm for libtss2-dev and libtss2-esys0
No init scripts
No systemd services
No DBus services
No setuid
No binaries in PATH
No sudo fragments
Udev rule in libtss2-udev:
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", MODE="0660", OWNER="tss", GROUP="tss"
Test suite under test/. vTPM needed to run it, shouldn't be run against an
actual TPM.
test/unit/ - run during build
test/helper, test/integration and test/tpmclient also available.
No cron jobs
Some warnings but nothing to worry
dpkg-scanpackages: warning: Packages in archive but missing from override
file:
dpkg-scanpackages: warning: sbuild-build-depends-core-dummy
dpkg-scanpackages: warning: Packages in archive but missing from override
file:
dpkg-scanpackages: warning: sbuild-build-depends-core-dummy
sbuild-build-depends-tpm2-tss-dummy
dpkg-source: warning: extracting unsigned source package
(tpm2-tss_2.1.0-4.dsc)
Makefile-test.am:66: warning: variable 'ESYSCRY_LDFLAGS' is defined but no
program or
configure: WARNING: unrecognized options: --disable-maintainer-mode
configure: WARNING: doxygen not found - will not generate any doxygen
documentation
configure: WARNING: unrecognized options: --disable-maintainer-mode
debian/resourcemgr.xml:62: warning: failed to load external entity
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd";
debian/tpmclient.xml:62: warning: failed to load external entity
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd";
debian/tpmtest.xml:62: warning: failed to load external entity
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd";
# ERROR: 0
libtool: warning: relinking 'src/tss2-tcti/libtss2-tcti-device.la'
libtool: warning: relinking 'src/tss2-tcti/libtss2-tcti-mssim.la'
libtool: warning: relinking 'src/tss2-sys/libtss2-sys.la'
libtool: warning: relinking 'src/tss2-esys/libtss2-esys.la'
libtool: warning: remember to run 'libtool --finish
/usr/lib/x86_64-linux-gnu'
dpkg-gencontrol: warning: Depends field of package libtss2-dev:
substitution variable ${shlibs:Depends} used, but is not defined
dpkg-scanpackages: warning: Packages in archive but missing from override
file:
dpkg-scanpackages: warning: sbuild-build-depends-core-dummy
sbuild-build-depends-lintian-dummy sbuild-build-depends-tpm2-tss-dummy
No subprocesses spawned
Lots of memory operations, a quick look at them, they look safe
Just a few file IO operations, they all look ok
Lots of logging. A quick look at them, they look safe
tpm2-tss make use of the following environment variables:
./test/integration/sapi-test-options.c:107: env_str =
getenv(ENV_TCTI_NAME);
./test/integration/sapi-test-options.c:110: env_str =
getenv(ENV_DEVICE_FILE);
./test/integration/sapi-test-options.c:113: env_str =
getenv(ENV_SOCKET_ADDRESS);
./test/integration/sapi-test-options.c:116: env_str =
getenv(ENV_SOCKET_PORT);
./src/util/log.c:159: char *envlevel = getenv("TSS2_LOG");
No privileged operations
Encryption
src/tss2-esys/esys_crypto_ossl.c: make use of openssl crypto
functions/structures
and so on. To name a few: RSA, EVP MD.
src/tss2-esys/esys_crypto_gcrypt.c: make use of libgcrypt
functions/structures
to calculate hashes/HMAC/RSA/ECC/AES and so on.
Networking is used in TPM Command Transimission Interface (TCTI) module for
interaction with the Microsoft TPM2 simulator.
tcti-socket - TPM simulator TCTI library
tcti-socket is a library that abstracts the details of direct communication
with the interface and protocol exposed by the daemon hosting the TPM2
reference implementation. The interface exposed by this library is defined
in
the “TSS System Level API and TPM Command Transmission Interface
Specification”
specification.
No WebKit
No PolicyKit
Some shellcheck warnings for test scripts
The overall quality of the code looks good, really mature as one would
expect from a software stack.
Security team ACK for promoting tpm2-tss to main.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1841595
Title:
[MIR] tpm2-tss
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tpm2-tss/+bug/1841595/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
